Security & Compliance

Privacy Policy

Last Updated: June 15, 2026. This policy establishes how BossAi process, stores, and protects all commercial transactions, merchant accounts, and device configurations.

Need Assistance?

For inquiries concerning database scoping, security certificates, or encryption protocols, contact our support team.

Contact Security

1. Introduction & Scope

Welcome to BossAi ("we," "our," "us"). We operate the business management platform, point-of-sale terminal software (the "POS App"), API gateway, storefront checkout systems, and associated applications (collectively, the "Service").

This Privacy Policy describes how we collect, store, isolate, and safeguard data from business operators, employees, end-customers, and website visitors. By accessing or using our Service, you agree to the collection and use of information in accordance with this policy.

Note on Multi-Tenant Isolation: BossAi enforces strict database-level Row-Level Security (RLS) policies. Your operational data (menus, transactions, staff roles) is isolated by tenant and outlet IDs and is completely inaccessible to other merchants.

2. Data We Collect

A. Account & Business Registration Data

When an owner or authorized manager signs up for BossAi, we collect business name, business type, phone number, physical address, logo assets, tax registry information, and email address. We also assign a unique, sequential system identifier (e.g. B-XXXXX).

B. Point of Sale & Customer Transaction Data

During normal retail or dining checkout routines, we log transaction data including menu/product items purchased, pricing totals, payment modes (cash, UPI, credit card, split payment), timestamps, and optional customer contact tags (name and phone number for digital receipt delivery).

C. Device & Local Print Bridge Logs

To ensure terminal and printing stability, the Service logs local terminal operating system details, network IP addresses of thermal receipt printers, and Electron Desktop Print Bridge connection status. We do not inspect payloads sent locally to USB/Network printers beyond generating the physical ticket commands.

3. How We Use Your Data

We use the collected information for various operational, security, and optimization purposes:

  • To provide and maintain our Service: Including transaction routing, digital invoice generation, and kitchen status displays.
  • To process payments securely: Facilitating UPI address registration and mapping storefront checkouts to merchant bank endpoints.
  • To optimize local hardware: Ensuring print queues, receipt templates, and kitchen display station (KDS) events are synchronized with lowest lag.
  • To support sales and operations: Onboarding details and staff registration requests appear in real-time on our support dashboard so our engineers can assist you instantly.
  • No Advertising/Selling: We never sell your operational or transactional data to third-party ad networks.

4. Tenant Isolation & Security Scoping

Our backend architecture operates on a strict multi-tenant schema model, isolated via Supabase PostgreSQL policies:

Row-Level Security (RLS)

Every database query is bound by policies checking the caller’s validated JWT authentication token against the business ID. Cross-tenant queries are blocked at the database execution tier.

Outlet-Level Partitioning

Menus, orders, and printing nodes are mapped to individual outlet IDs. Staff members are constrained to operations inside their assigned outlet workspace.

Our APIs enforce explicit join patterns to avoid ambiguous database relationships, keeping order states cleanly synced between storefront checkouts and active POS terminals.

5. Data Sharing & Third-Parties

We do not share your commercial data with third parties except under the following conditions:

  • Hosting & Cloud Providers: Supabase (PostgreSQL hosting) and Firebase (asset hosting/storefront validation) handle backend storage. Both comply with industrial security practices.
  • Legal Compliance: We may disclose information if required to do so by law or in response to valid requests by public authorities.
  • Business Transfer: If we are involved in a merger, acquisition, or asset sale, your data remains subject to the privacy guarantees established prior to the transfer.

6. Policy Revisions & Updates

We reserve the right to update or modify this Privacy Policy at any time. We will notify you of any material changes by posting the new version on this page and updating the "Last Updated" date at the top of the policy.

We recommend checking this Privacy Policy periodically to stay informed about how we safeguard and manage business information.